While it is reasonable to accept that an organization's interest in risk management is proportional to its perception of risk and threats, it is likewise reasonable to accept that in today's electronically interconnected environment, any organization offering goods and/or services over a digital network is under increasing pressure from customers, partners, and/or regulating authorities to reduce risk and provide a secure infrastructure. Risk management can be defined as a process for the identification, analysis, control, and communication of risks. Today, the process of risk management is a far more complex and evolving challenge than it was only twenty years ago. In the past, most computers were kept in locked rooms and managed by personnel who ensured that they were carefully administered and physically secured. Network links beyond the physical boundary of the organization were unusual. Threats were well understood, and risks were mitigated using traditional approaches (for example, locked doors, trained personnel, and accounting for resources). The nature of threats is much different today. Network architecture vulnerabilities, heterogeneous operating environments, configuration-intensive software, a shortage of trained personnel, the rapid growth in the number of Internet-connected devices, and the rapid growth in the number of Internet users represent only a few of the challenges facing today's organizations.
Regardless of changes in the nature of the threat, a risk-management methodology continues to allow an organization to make informed decisions about allocating scarce resources to the areas most at risk. Risk management is an ongoing activity that includes phases for assessing risk, implementing controls, and monitoring their effectiveness.
Risk assessment is widely used in both the public and private sectors to support decision-making processes, and it is also widely used in support of regulatory requirements. Traditionally, risk assessment is a process for tying together information gathered about assets, their economic values, and their associated vulnerabilities. The product of this effort is a measure of the risk to the organization with respect to a given project, product, system, or service.
Of the many risk-assessment methodologies employed, the most common is an ad hoc methodology (e.g., someone believes a risk exists and addresses that risk). While this form of qualitative risk assessment is acceptable for small organizations, it is neither appropriate nor effective for larger ones. In fact, by addressing one type of risk, a larger organization may introduce new vulnerabilities into other parts of its heterogeneous electronic network environment. Other conventional methods of risk assessment include the following:

Failure Mode and Effects Analysis: This method examines each potential failure condition in a system to determine the severity of the failure's impact on the system.

HAZOP (Hazard and Operability): This method examines process and engineering intentions to assess the potential hazards that can arise from deviations from design specifications.

Historical Analysis: This method examines the frequency of past incidents to determine the probability of a condition recurring.

Human-Error Analysis: This method examines the possible impact of human intervention and error on a system.

Probabilistic Risk Assessment: This method examines the probability that a combination of events may lead to a particular condition.

Tree Analysis: This is a family of analysis methods, such as event tree, attack tree, management-oversight tree, and fault tree analysis. This family of methods focuses on processes or sequences of events that may lead to a particular condition.
Regardless of which risk assessment methodology is chosen, the assessment and management of risk traditionally follow a multi-phase approach, underpinned by the selection of "best" or "essential" practices that represent management objectives. The following phases are common to conventional risk assessment methods:

1. Inventory and definition. In order to measure the theoretical impact of a risk, the organization determines which of its assets (e.g., electronic devices, electronically stored data, etc.) are involved in supporting critical processes. Once assets have been identified, a value is assigned to each asset. This value is not only monetary, but may also reflect loss of reputation or loss of trust.

A number of conventional automated tools can assist the organization in this phase. Tools such as OpenView (manufactured by Hewlett-Packard Co. of Palo Alto, Calif.) and Visio Enterprise (manufactured by Microsoft Corp. of Redmond, Wash.) can map network systems and devices and produce reports showing operating system type, revision level, and the services a system exposes to the network.

2. Vulnerability and threat evaluation. In this phase, the organization is examined for weaknesses that could be exploited by an unauthorized outsider, and for the likelihood that an outsider will attack those weaknesses. Vulnerability and threat assessment is typically performed by an internal audit department or a third-party auditor using a set of assessment criteria. Criteria represent a standard of practice that should be met in order to assure effective security. Auditors use the criteria to evaluate whether vulnerabilities exist within the target of evaluation and, in phase three, whether countermeasures exist to mitigate them. Some assessment criteria, such as the Common Criteria (ISO/IEC 15408, developed jointly by the government security bodies of several nations) and the Orange Book (set forth by the U.S. Department of Defense in the "Trusted Computer System Evaluation Criteria"), proactively delineate a methodology for building and implementing trust within systems as well as a methodology for assessing compliance. Other criteria, such as COBIT (set forth by the Information Systems Audit and Control Foundation) and SAS 70 (issued by the American Institute of Certified Public Accountants), are more reactive in nature and are used primarily for assessment.

Once a list of vulnerabilities has been compiled, each vulnerability is ranked according to the probability that it could be exploited by an unauthorized outsider. This probability is the threat associated with the vulnerability. Methods for determining threat level abound and can be as simple as assigning a value based on how frequently the threat is reported by organizations such as CERT (a center of Internet security expertise at the Software Engineering Institute), SANS (System Administration, Networking, and Security Institute), or the FBI (U.S. Federal Bureau of Investigation). The combination of vulnerabilities and threats gives the level of inherent risk: the risk that exists in the absence of any control measures.

A number of tools are available to scan electronic devices and assess their vulnerabilities. While such tools are useful for identifying top vulnerabilities in platform and service configurations, they cannot identify vulnerabilities in platforms or services not visible to the scan. Furthermore, these tools do not let the user record relationships between the asset at risk and its environment (i.e., the other devices to which the asset connects, the physical location in which it resides, or the network on which it participates). Without these relationships, the impact of a risk cannot be measured properly, nor can effective controls be chosen appropriately.

3. Evaluation of countermeasures. Phases one and two constitute the framework for risk assessment. Phases three, four, and five link risk assessment to a more comprehensive risk management strategy. Starting with this phase, a security practitioner determines whether countermeasures exist to mitigate the risk identified and quantified during phases one and two.

Countermeasures, commonly referred to as controls, are implemented to reduce risk to a level acceptable to the organization. Implementing a countermeasure is traditionally a risk/value proposition: in addition to the costs of acquisition and implementation, there are costs associated with usability, scalability, operations, and maintenance, all of which are weighed against the inherent risk. Note that some residual risk always remains, because the available countermeasures are imperfect.

Evaluation of countermeasures is typically carried out by an evaluator (e.g., an internal audit department, often in cooperation with a third-party assessor). As in phase two, using criteria defined by regulatory or standards bodies (e.g., BS 7799, COBIT, SAS 70, HIPAA), the evaluator selects the countermeasures that apply to the particular environment and then weighs their effectiveness.

This phase is extremely time-intensive, labor-intensive, and subjective. Countermeasures of limited effectiveness are often chosen because they appear to be an easy, cost-effective alternative, and the choice frequently fails to account for the downstream impact of the implementation or other hidden costs.

4. Decision. Once risk has been assessed and identified, the organization can choose to accept the risk, mitigate it, or transfer it. This phase weighs the cost of the countermeasure against the value of the asset it protects.

As with phase three, this phase is extremely time-intensive, labor-intensive, and subjective. The decision often fails to account for its ramifications for other assets in the environment.

5. Ongoing monitoring. Ongoing monitoring is an essential element of the risk management methodology. First, because implementing a control may introduce risk in another area of the organization, the effect of the implementation should be monitored. Second, over time the risk assessment loses relevance as threats change or the effectiveness of the control deteriorates. Third, as the organization introduces new systems, services, and/or clients, it introduces new vulnerabilities into its electronic network environment.

A number of organizations, for example Internet Security Systems, Inc. of Atlanta, Ga., Security Focus Inc. of San Mateo, Calif., and Trusecure, Inc. of Herndon, Va., provide a monitoring service. While these services are effective at delivering real-time threat intelligence about electronic vulnerabilities to their clients, they cannot provide accurate monitoring in the context of the other systems and services to which the target asset may be linked.
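The following is an added worked example, not code from the page or from any product named above. It carries the five phases through in a small quantitative model: assets with values and dependency relationships (phase 1), vulnerabilities with an exploitation likelihood and impact that combine into inherent risk as an annualized loss expectancy (phase 2), countermeasures with an annual cost and an imperfect likelihood reduction that leaves residual risk (phase 3), and an accept/mitigate/transfer decision made by comparing the expected annual cost of each option against a risk appetite (phase 4). All asset names, values, probabilities, costs, the risk appetite and the transfer premium are constructed figures; treating risk transfer as a premium equal to a fixed fraction of the inherent loss expectancy is a simplifying assumption. The `use_relationships` switch shows the point made above about scanners that cannot see an asset's environment: the same database vulnerability is scored with and without the value of the assets that depend on it.

```python
"""Worked example of the multi-phase risk assessment described above.

Added illustration, not code from the page. Every asset, value,
likelihood, cost and the risk appetite below is a constructed figure.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: float                      # phase 1: annual loss if fully compromised
    depends_on: list = field(default_factory=list)   # phase 1: relationships to other assets


@dataclass
class Vulnerability:
    name: str
    asset: str                        # asset on which the weakness exists
    likelihood: float                 # phase 2: annual probability of exploitation (threat)
    impact: float                     # fraction of the exposed value lost if exploited


@dataclass
class Countermeasure:
    name: str
    vulnerability: str
    annual_cost: float                # acquisition + operations + maintenance, per year
    reduction: float                  # fraction of likelihood removed; below 1.0, so risk remains


def dependents(assets, name):
    """Phase 1: every asset that transitively relies on `name`."""
    found, stack = set(), [name]
    while stack:
        current = stack.pop()
        for a in assets.values():
            if current in a.depends_on and a.name not in found:
                found.add(a.name)
                stack.append(a.name)
    return found


def exposure(assets, name, use_relationships=True):
    """Value at stake when `name` is compromised; with relationships on,
    the value of everything downstream that fails with it is included."""
    total = assets[name].value
    if use_relationships:
        total += sum(assets[d].value for d in dependents(assets, name))
    return total


def inherent_risk(assets, vulns, use_relationships=True):
    """Phase 2: annualized loss expectancy per vulnerability with no controls."""
    return {v.name: v.likelihood * v.impact * exposure(assets, v.asset, use_relationships)
            for v in vulns}


def decide(inherent, controls, appetite, transfer_rate):
    """Phases 3 and 4: for each vulnerability choose accept, mitigate or transfer
    by comparing the expected annual cost of each option. Risk at or below the
    appetite is accepted outright; `transfer_rate` is the assumed premium as a
    fraction of the inherent loss expectancy. Returns (action, control, cost)."""
    decisions = {}
    for vuln, ale in inherent.items():
        if ale <= appetite:
            decisions[vuln] = ("accept", None, ale)
            continue
        options = [("accept", None, ale), ("transfer", None, ale * transfer_rate)]
        for c in controls:
            if c.vulnerability == vuln:
                residual = ale * (1 - c.reduction)      # residual risk never reaches zero
                options.append(("mitigate", c.name, residual + c.annual_cost))
        decisions[vuln] = min(options, key=lambda o: o[2])
    return decisions


# Constructed inventory: a billing portal that depends on a web app that depends on a database.
ASSETS = {a.name: a for a in [
    Asset("db-server", 500_000),
    Asset("web-app", 200_000, depends_on=["db-server"]),
    Asset("billing-portal", 300_000, depends_on=["web-app"]),
]}
VULNS = [
    Vulnerability("unpatched-db-rce", "db-server", likelihood=0.10, impact=0.8),
    Vulnerability("weak-session-tokens", "web-app", likelihood=0.20, impact=0.3),
    Vulnerability("verbose-error-pages", "billing-portal", likelihood=0.50, impact=0.02),
]
CONTROLS = [
    Countermeasure("patch-management", "unpatched-db-rce", annual_cost=15_000, reduction=0.9),
    Countermeasure("db-segmentation", "unpatched-db-rce", annual_cost=40_000, reduction=0.6),
    Countermeasure("token-hardening", "weak-session-tokens", annual_cost=25_000, reduction=0.7),
]


def run_assessment(use_relationships=True):
    """Run phases 2 through 4 over the constructed inventory."""
    inherent = inherent_risk(ASSETS, VULNS, use_relationships)
    return inherent, decide(inherent, CONTROLS, appetite=5_000, transfer_rate=0.5)


if __name__ == "__main__":
    for flag in (False, True):
        inherent, decisions = run_assessment(flag)
        print(f"relationships={'on' if flag else 'off'}")
        for vuln, ale in inherent.items():
            action, control, cost = decisions[vuln]
            print(f"  {vuln:22s} ALE={ale:>9,.0f} -> {action:8s} {control or '':18s} annual cost {cost:,.0f}")
```

With relationships on, the database vulnerability is scored against the full 1,000,000 of exposed value rather than the 500,000 a scan of the database alone would see, so its loss expectancy doubles from 40,000 to 80,000; patch management is still the cheapest option, but the decision is now made on the right numbers. The session-token weakness is transferred because the only available control costs more than the risk it removes, and the verbose error pages fall within the appetite and are accepted. Phase 5 is the step of re-running this assessment as the inventory, threat figures and control effectiveness change.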
Notwithstanding the above-described conventional systems, no single methodology or software product includes the functionality necessary to automate risk management. While different conventional methods (example products of which have been mentioned above) may perform one or more phases of the process, such as inventory or electronic vulnerability analysis, no conventional method is capable of supporting all elements of a comprehensive risk management program.